Tweet
Bùi Nguyễn Hoàng Long
VnPro
I. Mô tả:
Thực hiện cấu hình IPSec VPN xác thực bằng pre-share key, đảm bảo hai mạng 172.16.1.0/24 và 192.168.1.0/24 có thể giao tiếp được với nhau sau khi VPN được thiết lập.
II. Cấu hình
Cấu hình chính sách ISAKMP
ciscoasa(config)# crypto isakmp policy 10
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# encryption 3des
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# group 2
Cấu hình chính sách IPSec
ciscoasa(config)# crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
Định nghĩa luồng dữ liệu được bảo vệ
ciscoasa(config)# access-list VPN extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
Cấu hình Crypto map
ciscoasa(config)# crypto map MYMAP 10 match address VPN
ciscoasa(config)# crypto map MYMAP 10 set peer 151.1.1.2
ciscoasa(config)# crypto map MYMAP 10 set transform-set MYSET
Gán Crypto map vào cổng
ciscoasa(config)# crypto map MYMAP interface outside
Kích hoạt ISAKMP trên cổng
ciscoasa(config)# crypto isakmp enable outside
Cấu hình tunnel-group
ciscoasa(config)# tunnel-group 151.1.1.2 type ipsec-l2l
Xác định thuộc tính IPSec
ciscoasa(config)# tunnel-group 151.1.1.2 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key vnpro
III. Cấu hình đầy đủ
ASA1
ASA Version 7.2(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 150.1.1.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
access-list VPN extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
route outside 0.0.0.0 0.0.0.0 150.1.1.1 1
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto map MYMAP 10 match address VPN
crypto map MYMAP 10 set peer 151.1.1.2
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 151.1.1.2 type ipsec-l2l
tunnel-group 151.1.1.2 ipsec-attributes
pre-shared-key *
: end
ASA2
ASA Version 7.2(4)
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 152.1.1.2 ca.vnpro.vn
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 151.1.1.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 151.1.1.1 1
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto map MYMAP 10 match address VPN
crypto map MYMAP 10 set peer 150.1.1.2
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 150.1.1.2 type ipsec-l2l
tunnel-group 150.1.1.2 ipsec-attributes
pre-shared-key *
!
: end
IV. Kiểm tra
Thực hiện lệnh PING trên PC để kiểm tra kết nối
Trạng thái ISAKMP cho biết kết nối được thiết lập thành công
ASA2# sh crypto isakmp
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 150.1.1.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Trạng thái IPSec SA
ASA2# sh crypto ipsec sa
interface: outside
Crypto map tag: MYMAP, seq num: 10, local addr: 151.1.1.2
access-list VPN permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer: 150.1.1.2
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 151.1.1.2, remote crypto endpt.: 150.1.1.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 90BEDA8E
inbound esp sas:
spi: 0xA29BFB99 (2728131481)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: MYMAP
sa timing: remaining key lifetime (kB/sec): (4274999/28527)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x90BEDA8E (2428426894)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: MYMAP
sa timing: remaining key lifetime (kB/sec): (4274999/28527)
IV size: 8 bytes
replay detection support: Y
VnPro
Thực hiện IPSec VPN xác thực với Pre-shared
I. Mô tả:
Thực hiện cấu hình IPSec VPN xác thực bằng pre-share key, đảm bảo hai mạng 172.16.1.0/24 và 192.168.1.0/24 có thể giao tiếp được với nhau sau khi VPN được thiết lập.
II. Cấu hình
Cấu hình chính sách ISAKMP
ciscoasa(config)# crypto isakmp policy 10
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# encryption 3des
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# group 2
Cấu hình chính sách IPSec
ciscoasa(config)# crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
Định nghĩa luồng dữ liệu được bảo vệ
ciscoasa(config)# access-list VPN extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
Cấu hình Crypto map
ciscoasa(config)# crypto map MYMAP 10 match address VPN
ciscoasa(config)# crypto map MYMAP 10 set peer 151.1.1.2
ciscoasa(config)# crypto map MYMAP 10 set transform-set MYSET
Gán Crypto map vào cổng
ciscoasa(config)# crypto map MYMAP interface outside
Kích hoạt ISAKMP trên cổng
ciscoasa(config)# crypto isakmp enable outside
Cấu hình tunnel-group
ciscoasa(config)# tunnel-group 151.1.1.2 type ipsec-l2l
Xác định thuộc tính IPSec
ciscoasa(config)# tunnel-group 151.1.1.2 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key vnpro
III. Cấu hình đầy đủ
ASA1
ASA Version 7.2(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 150.1.1.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
access-list VPN extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
route outside 0.0.0.0 0.0.0.0 150.1.1.1 1
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto map MYMAP 10 match address VPN
crypto map MYMAP 10 set peer 151.1.1.2
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 151.1.1.2 type ipsec-l2l
tunnel-group 151.1.1.2 ipsec-attributes
pre-shared-key *
: end
ASA2
ASA Version 7.2(4)
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 152.1.1.2 ca.vnpro.vn
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 151.1.1.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 151.1.1.1 1
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto map MYMAP 10 match address VPN
crypto map MYMAP 10 set peer 150.1.1.2
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 150.1.1.2 type ipsec-l2l
tunnel-group 150.1.1.2 ipsec-attributes
pre-shared-key *
!
: end
IV. Kiểm tra
Thực hiện lệnh PING trên PC để kiểm tra kết nối
Trạng thái ISAKMP cho biết kết nối được thiết lập thành công
ASA2# sh crypto isakmp
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 150.1.1.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Trạng thái IPSec SA
ASA2# sh crypto ipsec sa
interface: outside
Crypto map tag: MYMAP, seq num: 10, local addr: 151.1.1.2
access-list VPN permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer: 150.1.1.2
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 151.1.1.2, remote crypto endpt.: 150.1.1.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 90BEDA8E
inbound esp sas:
spi: 0xA29BFB99 (2728131481)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: MYMAP
sa timing: remaining key lifetime (kB/sec): (4274999/28527)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x90BEDA8E (2428426894)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: MYMAP
sa timing: remaining key lifetime (kB/sec): (4274999/28527)
IV size: 8 bytes
replay detection support: Y
Comment